Rootkits: What they are and how to find them Part 1

Rootkits:
What they are and how to find them
or
check yo self before you wreck yo self!
Part 1
Xeno Kovah – 2010
xkovah at gmail
Ice Cube is a Friendly Rootkit
Advocating for Rootkit Detection!
You betta check yo self
fore you wreck yo self
cause I'm bad for your health
I come real stealth
:O
http://www.youtube.com/watch?v=AJR62vsAg-0
2
All materials are licensed under a Creative
Commons Share Alike license.
•  http://creativecommons.org/licenses/by-sa/3.0/
3
May your skill tree overgroweth…
YOU
ARE
HERE
:D
4
About Me
•  Security nerd - generalist, not specialist
•  Been following rootkits for quite a while, but
mostly as just a side thing to keep an eye on.
But therefore I was ready to strike when some
work came up in the area.
•  Mostly made of 4 elements - Carbon,
Hydrogen, Nitrogen, and…Oxygen!
•  http://www.youtube.com/watch?v=d0zION8xjbM#t=2m21s
5
About You?
•  Name & Department
•  Why did you want to take the class?
•  Which jelly belly flavors do you hate?
(Because I decided the "which is your
favorite" is too hard a question)
6
7
Agenda
•  Day 1 - Part 1 - Rootkit stuff
•  Day 1 - Part 2 - More rootkit stuff
•  Day 2 - Part 3 - ???
•  Day 2 - Part 4 - Profit!
8
Miss Alaineous
•  Questions: Ask 'em if you got 'em
–  If you fall behind and get lost and try to tough it out until you
understand, it's more likely that you will stay lost, so ask
questions ASAP.
•  Browsing the web and/or checking email during class
is a good way to get lost ;)
•  2 hours, 10 min break, 1.5 hours, lunch, 1 hour w/ 5
min break thereafter
9
What does it all mean?!?!
•  Try to have a little more practical class
•  Practical in the sense that one way or another you'll
learn about new tools and how you can use them to
detect rootkits.
•  But simultaneously I want to reinforce how much
better off you are for having taken the other classes ;)
•  Don't have enough time to get heavy into the
attribution of changes. That would be things like
"What module allocated this memory? Where in the
module is the code which causes the changes?" etc
–  Also need the RE class for that. You DID register for the RE class already
didn't you?
10
why, Why, WHY!?!?
Why have a homework before anyone has learned anything?!
•  Understand what people (sponsors/
subordinates/you) would actually go through/
see when trying to detect rootkits (if they even
knew to try.)
•  Understand that some tools are more equal
than others when it comes to detecting things,
and the danger of a false sense of security.
•  Provide a concrete before-and-after picture of
the necessity of this type of information for
even being able to understand what the good
tools are trying to tell you
•  Have the tools in-hand to then apply them to
other systems
11
Watchugot? Watchuget?
•  You've got:
–  Rootkits VM
•  You're going to get
–  Anonymized homework writeups from everyone in all the
instances of this class
–  Rootkit detector capability comparison matrix
–  TiddlyWiki describing how to install the rootkits (targeted at
other instructors) + some reverse engineering rootkit
material cut from the RE class
–  A collection of more detectors, and a collection of more
proof-of-concept rootkits from places like rootkit.com (be
warned, some of the PoCs will be detected by AV, so don't
use on your work laptop.)
–  Eventually, 2nd "for fun" rootkit VM :D, which still just uses
techniques from this class, but takes away most of the easy
win detection mechanisms
12
Textbook pros/cons
13
2005 - Rootkits: Subverting the Windows
Kernel
•  Pro: Written by two people who
contributed a lot to the foundations of
understanding what's possible with
rootkits
•  Con: …but starting to show its age, with
lack of many newer techniques.
•  Con: Without existing OS internals
knowledge, could be too much complexity
too fast. Windows Internals book by MS
definitely helps to explain what they're
talking about at some points.
14
2007 - Professional Rootkits
•  Pro: Builds up a rootkit of increasing
capabilities, with explanations of the
code
•  Cons: Adds nothing new to the field,
just basically a reference for example
code for the most stable versions of
various techniques (not always the most
stealthy techniques.)
•  E.g. the type of thing which can be used
to make the Sony Rootkit style software
15
2009 - The Rootkit Arsenal: Escape and Evasion
in the Dark Corners of the System
•  Pro: More inclusive of newer techniques like bootkits than the
Hoglund/Butler book.
•  Pro/Con: Comes with lots of code, BUT…doesn't allow you to
download the code from anywhere, so if you want to experiment
with it, you have to re-type it (or go find the original)
•  Con: A bunch of the code is apparently just re-written from other
people's example code (e.g. files on rootkit.com). Also either
doesn't know how to program (use -> not *. in C!) or he was just
trying to further obfuscate ripped off code.
•  Con/Pro: Author comes from a forensics background rather than
having OS knowledge, and thus he throws in a bunch of
forensics stuff (which I question the relevance of, because I
consider anti-forensics to be its own separate field from rootkit
hiding). But if you haven't had exposure to anti-forensics, then
it's a pro as you can learn more.
16
2010 - Hacking Exposed: Malware &
Rootkits
•  Pro: Good up to date reference which covers
rootkits as they are seen in the wild, with many
references to specific malware instances
•  Pro/Con: Overall does a decent job, but while
rootkits are sexy and therefore get cover billing,
they're still a minority content area (around 120
pages of how rootkits work and 34 pages of
detection).
•  Con: A lot of the detection recommendations
are un-actionable, though that's a problem for
anyone talking about the area.
•  Con: Almost no source code
17
What is a rootkit?
(or more importantly, how will I define it for this class)
•  It's an overused term is what it is
•  It's neither a root, nor a kit
•  An attacker tool
•  NOT how they get root
•  "A rootkit is a set of programs which *PATCH* and
*TROJAN* existing execution paths within the
system. This process violates the *INTEGRITY* of
the TRUSTED COMPUTING BASE (TCB)." - Greg
Hoglund, http://www.phrack.com/issues.html?issue=55&id=5
•  The only universal truth about rootkits is that they
are trying to hide the attacker's presence
•  2 basic categorization schemes though
18
TAXONOMY?!
19
http://spennypost.blogspot.com/2010/10/fbu-bonfire-night-strike.html
Lord of the rings around the rosie
•  Ring 3 – Userspace-Based
•  Ring 0 – Kernel-Based
•  Ring -1 – Virtualization-Based
–  Intel VT-x (Virtualization Technology for x86), AMD-V (AMD Virtualization), Hypervisor subverted
•  "Ring -1.5?" - Post-BIOS, Pre OS/VMM
–  e.g. Master Boot Record (MBR) "bootkit"
–  Peripherals with DMA (Direct Memory Access) (this can be ring 0, -1, or -1.5 depending on
whether VT-d is being used)
–  Not a generally acknowledged "ring", but the place I think it fits best
•  Ring -2 – System Management Mode (SMM)
•  "Ring -2.5" - BIOS (Basic Input Output System), EFI (Extensible Firmware Interface)
–  because they are the first code to execute on the CPU and they control what gets loaded into
SMM
–  Not a generally acknowledged "ring", but the place I think it fits best
•  Ring -3 – Chipset Based
–  Intel AMT (Active Management Technology)
But BIOS could use VT-d to prevent DMA, and it initializes peripherals, so…?
Yeah, things get squishy at the bottom with non-real-rings.
20
Stealth Malware Taxonomy
Joanna Rutkowska 2006
•  http://invisiblethings.org/papers/malware-taxonomy.pdf
•  Type 0: Uses only legitimate system features
•  Type 1: Modifies things which should be static
•  Type 2: Modifies things which are dynamic
•  Type 3: Exists outside the operating system
•  Type 4: Exists outside the main CPU/RAM
–  Added by me
21
Example Type 0 Malware
•  Spyware
–  There's nothing illegitimate about a cell phone map application
wanting to access your location data to show the local map. It's
only when it starts sending that location with your PII to a 3rd party
location that it starts to become questionable.
•  Trojans
–  There's nothing illegitimate about allowing users to install
programs. And there's no realistic way for a user to assess the full
extent of all that program's capabilities. When a program contains
capabilities which arguably have nothing to do with its advertised
purpose, that's when it becomes questionable.
•  Bots
–  There's nothing illegitimate about allowing an application to make
network connections. It's only when it's making thousands of them
as a part of a DDoS that's when it becomes questionable.
•  Hide in plain sight
–  Programs can name themselves whatever the developer wants. But
when the developer wants it to be named misleadingly similar to a
"trusted" software vendor like Microsoft's files, that's when it
becomes questionable.
22
Detecting Type 0
•  Out of scope for the taxonomy ;)
–  Also mostly out of scope for this class
•  Blacklisting
–  Signature-based Anti-Virus
•  Behavioral analysis
–  Triumfant, QualysGuard, most AV to some
degree
•  Filesystem integrity checking
–  Tripwire, Bit9, SolidCore (for HBSS)
23
Why is Type 0 going undetected?
•  Companies are overly invested in
blacklisting technology. Explosion in
polymorphism undermining signature-based approaches.
•  Whitelisting technologies often require
dedicated maintainers to understand
expected or known good state.
Thus they are typically not targeted at
home users.
24
Example Type 1 Malware
•  Most in-the-wild rootkits are a mix of
Type 1 and Type 2
•  The following are a quick glimpse at
some of the techniques we're going to
be looking at in this class.
26
IAT Hook
27
From: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Silberman-Butler.pdf
SSDT Hook
28
From: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Silberman-Butler.pdf
Inline Hook
29
From: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Silberman-Butler.pdf
Bootkit Lives here (from disk), but in order to do anything of consequence it has to keep
hooking each subsequent thing to keep control.
30
From http://www.stoned-vienna.com/downloads/Presentation.pdf
Detecting Type 1
•  GMER - My favorite (www.gmer.net)
–  Here comes a new challenger! Virus Blok Ada (the people
who found Stuxnet) have been significantly improving their
anti-rootkit (Vba32arkit.exe), and since it has extra removal
capabilities built in, I'm diggin' it. Shoryuken!
•  Tuluka, GMER, RootkitUnhooker, IceSword, Helios Lite,
RootkitRevealer, System Virginity Verifier (SVV), WinDbg !chkimg,
VICE, RAIDE, chkrootkit, etc.
•  See http://www.antirootkit.com/software/index.htm and
http://ntinternals.org/anti_rootkits.php
•  [VMWatcher] for out of band integrity checks
•  Strider [GhostBuster] for cross-view of hiding things on
disk (but you can generally detect bootkits with memory
integrity checks, and you can't get GhostBuster anyway)
31
Preventing Type 1
•  PatchGuard. Windows x64
–  Unintended consequences? Pushes Type
1 to Type 0 or Type 2?
–  Still need detection? x64 bootkit in the wild
[3]
•  [NICKLE]. Assumes virtualized system
–  What about VM escape? Still need
detection?
–  [HyperSentry]
32
Why are Type 1 going undetected?
•  None of the previously listed software is
meant to be run in an enterprise;
they're meant to be run manually on
single systems.
•  The best detectors need deep system
knowledge in order to interpret the
results. Administrators may not have
this knowledge.
33
Example Type 2 Malware
•  Direct Kernel Object Manipulation
[DKOM]
–  Developed specifically to avoid using Type
1 hooking, because it was recognized to be
eminently detectable (presented hook
detector VICE at same time)
•  Kernel Object Hooking [KOH]
–  Generalization of existing techniques, with
suggestions of some example Windows
objects to hook
35
Process Linked List Before DKOM
36
From: http://www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf
Process Linked List After DKOM
37
From: http://www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf
KOH
•  Hook function pointers in dynamically allocated objects
in the kernel
•  typedef struct {
        SHORT               Type;
        UCHAR               Number;
        UCHAR               Importance;
        LIST_ENTRY          DpcListEntry;
        PKDEFERRED_ROUTINE  DeferredRoutine;
        PVOID               DeferredContext;
        PVOID               SystemArgument1;
        PVOID               SystemArgument2;
        PULONG              Lock;
   } KDPC, *PKDPC;
38
Detecting Type 2
•  Plenty of things handle canonical DKOM
through cross-view detection
–  VBA32AR, GMER, IceSword, RootkitRevealer,
F-Secure BlackLight, Sophos Anti-Rootkit, etc
•  In some cases you may be able to
automatically infer semantic constraints on
data structures and verify them at runtime
[Petroni][LKIM]
•  Recent academic interest in KOH
–  [HookMap], [HookSafe], [HookScout]
39
Why are Type 2 going undetected?
•  Same reasons as for Type 1, and…
•  No good tools to detect KOH. Detecting
KOH system-wide (as opposed to
specific things attackers are known to
use) looks like it could induce
unacceptable performance penalty.
Also KOH detection could be more
prone to race conditions, and attempts
to eliminate these conditions would add
more performance overhead. More work
needed there.
40
Example Type 3 Malware
•  Ring -1 – Virtualization-Based
–  Intel VT-x (Virtualization Technology for x86), AMD-V (AMD
Virtualization), Hypervisor subverted
•  "Ring -1.5?" - Post-BIOS, Pre OS/VMM
–  e.g. Master Boot Record (MBR) "bootkit"
–  Peripherals with DMA (Direct Memory Access) (this can be ring 0,
-1, or -1.5 depending on whether VT-d is being used)
–  Not a generally acknowledged "ring", but the place I think it fits best
•  Ring -2 – System Management Mode (SMM)
•  "Ring -2.5" - BIOS (Basic Input Output System), EFI (Extensible
Firmware Interface)
–  because they are the first code to execute on the CPU and they
control what gets loaded into SMM
–  Not a generally acknowledged "ring", but the place I think it fits best
•  Ring -3 – Chipset Based
–  Intel AMT (Active Management Technology)
42
43
From http://www.invisiblethingslab.com/resources/bh07/IsGameOver.pdf
44
From http://www.invisiblethingslab.com/resources/bh07/IsGameOver.pdf
Batteries Not
Included!
45
From http://support.amd.com/us/Processor_TechDocs/24593.pdf
Detecting Type 3 – Ring -1
•  Due to hype surrounding ring -1 rootkits, people
had incentive to find them.
•  Don't Tell Joanna, The Virtualized Rootkit Is
Dead [8]
–  Exhibits same misunderstanding of technically
detectable vs people can actually detect it in
practice
•  Timing side-effect detection
•  Compatibility is Not Transparency: VMM
Detection Myths and Realities [9]
•  In addition some people have suggested the
classic approach of just "go lower", as in, scan
from ring -2 or ring -3 (e.g. [DeepWatch])
46
Prevent/Detect Type 3 – Ring -2
•  There are mechanisms in both Intel and AMD's
virtualization extensions to deprivilege the code
running in SMRAM, by basically virtualizing it, and
limiting the code's view of memory so that it can't
scribble on your OS/hypervisor.
–  AMD also has an option for the hypervisor to intercept
SMIs and fake out a transition directly to SMM without
requiring writing the separate minimal hypervisor which
lives in SMM – talk on *implementing* this at
ShmooCon 2010 [SMMshmoo]
•  Not aware of any commercial vendors who do this
yet.
•  Can theoretically just integrity check SMRAM, iff
you have access, which requires getting there first,
or going through the same hole as an attacker
47
48
From http://www.invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf
FIXME: add NIC infection
49
FIXME: add KBC infection
50
Detecting Type 4 – Ring -3
•  Use other ring -3 detectors and get
there first? TPM can verify a compatible
BIOS, but what about everything else?
[DeepWatch] wasn't designed for it, but
can it help?
•  Self-attestation [SWATT][SBAP]
[Pioneer]
•  SOL?
•  Too soon to say
51
Why are Type 3 & 4 going
undetected?
•  Cache 22? Not looking for them in the
wild because we're not hearing about
them being found in the wild?
•  Even if we want to look for them, there
are no tools to help us do so. Have to
roll your own.
•  Level of development effort and
hardware-dependencies probably
indicates they will only be used in highly
targeted attacks.
52
They Might Be Giants:
Where your eyes don't go
(rootkit themesong as far as I'm concerned)
Where your eyes don't go a filthy scarecrow waves its broomstick arms
And does a parody of each unconscious thing you do
When you turn around to look it's gone behind you
On its face it's wearing your confused expression
Where your eyes don't go
Where your eyes don't go a part of you is hovering
It's a nightmare that you'll never be discovering
Should you worry when the skullhead is in front of you
Or is it worse because it's always waiting where your eyes don't go?
http://www.youtube.com/watch?v=hqY3kASMFW8
54
Spoiler Alert
•  There are ~8 rootkits leveraging ~10
techniques in the example VM,
depending on how you count.
55
•  What If…we ran GMER on our example
VM?
•  (Note to self, try and crowdsource the
interpretation to start with)
56
Inline Hooks
(callouts on the GMER output screenshot)
•  PE section where the hook resides
•  module within process memory
•  process name
•  process ID (PID)
•  function name within module
•  number of bytes that changed
•  specific virtual memory address where the change is found
•  if control flow redirect (call, jmp): module space where it's
redirected to, if it is within a module address range
•  interpretation of changed bytes (if possible)
57
Book page 340
!chkimg
•  You can also find modifications to static
code/data areas with the !chkimg
windbg command. It checks the version
in memory against the file on disk
58
System Virginity Verifier
•  http://invisiblethings.org/tools/svv/svv-2.3-src.zip
•  http://invisiblethings.org/papers/rutkowska_bhfederal2006.ppt
•  Like !chkimg but tries to apply some
heuristics to the modifications it found to
apply a severity score.
59
False Positives
McAfee HBSS HIPS
60
Stuxnet use of inline hooks
•  From the Stuxnet Dossier:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
•  "~WTR4141.tmp then loads ~WTR4132.tmp, but before doing
so, it attempts to hide the files on the removable drive. Hiding
the files on the removable drive as early in the infection process
as possible is important for the threat since the rootkit
functionality is not installed yet, as described in the Windows
Rootkit Functionality section. Thus, ~WTR4141.tmp implements
its own less-robust technique in the meantime.
•  WTR4141.tmp hooks the following APIs from kernel32.dll and
Ntdll.dll:
•  From Kernel32.dll
–  FindFirstFileW
–  FindNextFileW
–  FindFirstFileExW
•  From Ntdll.dll
–  NtQueryDirectoryFile
–  ZwQueryDirectoryFile"
61
Go with what you know…
Import Address Table (IAT) Hooks
(callouts on the GMER output screenshot)
•  Telling you that this is an IAT hook
•  This is the module doing the importing
•  This is the function being imported by the first module and
exported by the second
•  This is the module doing the exporting
•  This is the address in the IAT pointing somewhere other than
where it should (based on the Exports Address Table (EAT)
of the exporting module)
•  If GMER can, it tries to infer which module space the
function pointer is pointing into. And if there's version
information in that module, it pulls that out too
Book page 265
62
63
Image by Ero Carrera
64
Image by Ero Carrera
Review: Import Descriptor
(from winnt.h; where it says "original unbound IAT", I think they meant INT)
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;        // 0 for terminating null import descriptor
        DWORD   OriginalFirstThunk;     // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
                                        //Xeno Comment: In reality a PIMAGE_THUNK_DATA
    };
    DWORD   TimeDateStamp;              // 0 if not bound,
                                        // -1 if bound, and real date\time stamp
                                        //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                        // O.W. date/time stamp of DLL bound to (Old BIND)
    DWORD   ForwarderChain;             // -1 if no forwarders
    DWORD   Name;
    DWORD   FirstThunk;                 // RVA to IAT (if bound this IAT has actual addresses)
                                        //Xeno Comment: In reality a PIMAGE_THUNK_DATA
} IMAGE_IMPORT_DESCRIPTOR;
•  While the things in blue are the fields filled in for the most common case, we
will actually have to understand everything for this structure, because you
could run into all the variations.
65
66
Image by Ero Carrera
Review: Import data structures ON DISK
(diagram; graphical style borrowed from the Matt Pietrek articles)
IMAGE_IMPORT_DESCRIPTOR array:
    OriginalFirstThunk  -> Import Names Table (IMAGE_THUNK_DATA array)
    TimeDateStamp       0
    ForwarderChain      0
    Name                -> "ntoskrnl.exe"
    FirstThunk          -> Import Address Table (IMAGE_THUNK_DATA array)
    (a zero-filled IMAGE_IMPORT_DESCRIPTOR entry terminates the array)
On disk, both the Import Names Table and the Import Address Table entries
point at the same array of IMAGE_IMPORT_BY_NAME structures, stored wherever
in the file; each table ends with a 0 entry:
    0x014B, IoDeleteSymbolicLink
    0x040B, RtlInitUnicodeString
    0x01DA, IofCompleteRequest
67
Review: Import data structures IN MEMORY AFTER IMPORTS RESOLVED
(diagram; graphical style borrowed from the Matt Pietrek articles)
IMAGE_IMPORT_DESCRIPTOR array:
    OriginalFirstThunk  -> Import Names Table (IMAGE_THUNK_DATA array),
                           still pointing at the IMAGE_IMPORT_BY_NAME entries:
                               0x014B, IoDeleteSymbolicLink
                               0x040B, RtlInitUnicodeString
                               0x01DA, IofCompleteRequest
    TimeDateStamp       0
    ForwarderChain      0
    Name                -> "ntoskrnl.exe"
    FirstThunk          -> Import Address Table (IMAGE_THUNK_DATA array)
    (a zero-filled IMAGE_IMPORT_DESCRIPTOR entry terminates the array)
IAT entries now point to the full virtual addresses where the functions are
found in the other modules (just ntoskrnl.exe in this case); each table
still ends with a 0 entry.
68
Review: Import data structures ON DISK
(diagram; graphical style borrowed from the Matt Pietrek articles)
IMAGE_IMPORT_DESCRIPTOR array:
    OriginalFirstThunk  -> Import Names Table (IMAGE_THUNK_DATA array)
    TimeDateStamp       0
    ForwarderChain      0
    Name                -> "ntdll.dll"
    FirstThunk          -> Import Address Table (IMAGE_THUNK_DATA array)
    (a zero-filled IMAGE_IMPORT_DESCRIPTOR entry terminates the array)
On disk, both the Import Names Table and the Import Address Table entries
point at the same array of IMAGE_IMPORT_BY_NAME structures, stored wherever
in the file; each table ends with a 0 entry:
    0x014B, NtQuerySysInfo
    0x040B, RtlInitUnicodeString
    0x01DA, IofCompleteRequest
69
Review: Import data structures IN MEMORY AFTER IMPORTS RESOLVED
(diagram; graphical style borrowed from the Matt Pietrek articles)
IMAGE_IMPORT_DESCRIPTOR array:
    OriginalFirstThunk  -> Import Names Table (IMAGE_THUNK_DATA array),
                           still pointing at the IMAGE_IMPORT_BY_NAME entries:
                               0x014B, NtQuerySysInfo
                               0x040B, RtlInitUnicodeString
                               0x01DA, IofCompleteRequest
    TimeDateStamp       0
    ForwarderChain      0
    Name                -> "ntdll.dll"
    FirstThunk          -> Import Address Table (IMAGE_THUNK_DATA array)
    (a zero-filled IMAGE_IMPORT_DESCRIPTOR entry terminates the array)
IAT entries now point to the full virtual addresses where the functions are
found in the other modules (just ntdll.dll in this case); each table still
ends with a 0 entry.
70
Review: IAT Hooking
•  When the IAT is fully resolved, it is
basically an array of function pointers.
Somewhere, in some code path, there's
something which is going to take an IAT
address, and use whatever's in that
memory location as the destination of the
code it should call.
•  What if the whatever's in that memory
location gets changed after the OS loader
is done? What if it points at attacker code?
71
Review: IAT Hooking 2
•  Well, that would mean the attacker's code
would functionally be man-in-the-middle-ing
the call to the function. He can then change
parameters before forwarding the call on to the
original function, and filter results that come
back from the function, or simply never call the
original function, and send back whatever
status he pleases.
–  Think rootkits. Say you're calling OpenFile. It
looks at the file name and if you're asking for a file
it wants to hide, it simply returns no file found.
•  But how does the attacker change the IAT
entries? This is a question of assumptions
about where the attacker is.
72
Review: IAT Hooking 3
•  In a traditional memory-corrupting exploit, the attacker is, by
definition, in the memory space of the attacked process, upon
successfully gaining arbitrary code execution. The attacker can
now change memory such as the IAT for this process only,
because remember (from OS class or Intermediate x86) each
process has a separate memory space.
•  If the attacker wants to change the IAT on other processes, he
must be in their memory spaces as well. Typically the attacker
will format some of his code as a DLL and then perform DLL
Injection in order to get his code in other process memory
space.
•  The ability to do something like DLL injection is generally a
prerequisite in order to leverage IAT hooking across many
userspace processes. In the kernel, kernel modules are
generally all sharing the same memory space with the kernel,
and therefore one subverted kernel module can hook the IAT of
any other modules that it wants.
73
Review: DLL Injection
•  See http://en.wikipedia.org/wiki/DLL_injection
for more ways that this can be achieved on Windows/*nix
•  We're going to use the AppInit_DLLs
way of doing this, out of laziness
•  (Note: AppInit_DLLs' behavior has
changed in releases > XP, it now has to
be enabled with Administrator level
permissions.)
74
Review: Lab: IAT hooking
•  http://www.codeproject.com/KB/vista/api-hooks.aspx
–  This will hook NtQuerySystemInformation(), which is what taskmgr.exe uses in
order to list the currently running processes. It will replace this with
HookedNtQuerySystemInformation(), which will hide calc.exe
–  I modified that code to use IAT hooking rather than inline (which is much simpler
actually)
•  Steps:
–  Compile AppInitHookIAT.dll
–  Place at C:\AppInitHookIAT.dll for simplicity
–  Use regedit.exe to add C:\AppInitHookIAT.dll as the value for the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
(if there is already something there, separate the entries with a comma)
–  Start calc.exe, start taskmgr.exe, confirm that calc.exe doesn't show up in the list
of running processes.
–  Remove C:\AppInitHookIAT.dll from AppInit_DLLs and restart taskmgr.exe.
–  Confirm calc.exe shows up in the list of running processes.
–  (This is a basic "userspace rootkit" technique. Because of this, all entries in this
registry key should always be looked upon with suspicion.)
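As an added example, not code from the slides or from the codeproject lab, here is the check a detector performs on the other side of this lab: walk the image's IMAGE_IMPORT_DESCRIPTOR array, follow the Import Names Table and the resolved Import Address Table in parallel, and flag any IAT slot whose value does not land in the module the descriptor names. The image layout, all addresses, the module ranges and the redirected slot are constructed for the demo; a real detector reads the mapped PE and the process's loaded-module list instead.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets inside IMAGE_IMPORT_DESCRIPTOR (winnt.h); 20 bytes per entry. */
#define IID_ORIGINAL_FIRST_THUNK 0   /* RVA of the Import Name Table (INT) */
#define IID_NAME                 12  /* RVA of the NUL-terminated DLL name */
#define IID_FIRST_THUNK          16  /* RVA of the Import Address Table (IAT) */
#define IID_SIZE                 20
typedef struct { const char *name; uint32_t base, end; } module_range;
typedef struct {
    char func[64];        /* name from the IMAGE_IMPORT_BY_NAME entry */
    const char *expected; /* exporting module named by the descriptor */
    const char *actual;   /* module the slot really points into, or "unknown" */
    uint32_t slot_va;     /* virtual address of the IAT slot */
    uint32_t target_va;   /* value stored in that slot */
} hook_report;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* Case-insensitive module name compare (Ntdll.dll == ntdll.dll). */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
static const char *module_for(uint32_t va, const module_range *m, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (va >= m[i].base && va < m[i].end) return m[i].name;
    return "unknown";
}

/* Walk the import directory of a 32-bit image mapped at image_base; report every
 * resolved IAT slot that does not point into the module its descriptor names.
 * Returns the number of such slots; up to max of them are described in out. */
size_t scan_iat(const uint8_t *image, uint32_t image_base, uint32_t import_dir_rva,
                const module_range *mods, size_t nmods, hook_report *out, size_t max)
{
    size_t found = 0;
    for (const uint8_t *d = image + import_dir_rva; ; d += IID_SIZE) {
        uint32_t int_rva = rd32(d + IID_ORIGINAL_FIRST_THUNK);
        uint32_t iat_rva = rd32(d + IID_FIRST_THUNK);
        if (int_rva == 0 && iat_rva == 0) break;            /* zero-filled terminator */
        const char *dll = (const char *)(image + rd32(d + IID_NAME));
        for (uint32_t i = 0; ; i++) {
            uint32_t by_name = rd32(image + int_rva + 4 * i); /* INT: RVA of hint/name */
            uint32_t target  = rd32(image + iat_rva + 4 * i); /* IAT: resolved address */
            if (by_name == 0) break;                           /* end of this DLL's list */
            if (by_name & 0x80000000u) continue;               /* import by ordinal: no name */
            const char *where = module_for(target, mods, nmods);
            if (name_eq(where, dll)) continue;                 /* lands in the exporter: fine */
            if (found < max) {
                hook_report *r = &out[found];
                /* IMAGE_IMPORT_BY_NAME is a WORD hint followed by the function name */
                snprintf(r->func, sizeof r->func, "%s", (const char *)(image + by_name + 2));
                r->expected = dll;  r->actual = where;
                r->slot_va = image_base + iat_rva + 4 * i;  r->target_va = target;
            }
            found++;
        }
    }
    return found;
}

/* Constructed image: ntdll.dll imports as the loader resolved them, then the
 * first IAT slot overwritten with an address inside an injected DLL (the lab case). */
size_t run_sample(hook_report *out, size_t max)
{
    static uint8_t image[0x1200];
    const uint32_t base = 0x00400000u, dir = 0x1000, int_rva = 0x1040,
                   iat_rva = 0x1060, dll_rva = 0x1080, names_rva = 0x1090;
    const char *funcs[] = { "NtQuerySystemInformation", "RtlInitUnicodeString", "NtQueryDirectoryFile" };
    const uint32_t resolved[] = { 0x10001020u, 0x7C911A30u, 0x7C90D76Cu };   /* made-up VAs */
    module_range mods[] = { { "ntdll.dll",           0x7C900000u, 0x7C9B0000u },
                            { "WickedWickedDll.dll", 0x10000000u, 0x10010000u } };
    uint32_t pos = names_rva;
    memset(image, 0, sizeof image);
    for (int i = 0; i < 3; i++) {
        image[pos] = 0x4B; image[pos + 1] = 0x01;          /* hint 0x014B, arbitrary */
        strcpy((char *)image + pos + 2, funcs[i]);
        wr32(image + int_rva + 4 * i, pos);                 /* INT -> hint/name entry */
        wr32(image + iat_rva + 4 * i, resolved[i]);         /* IAT -> resolved VA */
        pos = (pos + 4 + (uint32_t)strlen(funcs[i])) & ~1u; /* next entry, WORD-aligned */
    }
    strcpy((char *)image + dll_rva, "ntdll.dll");
    wr32(image + dir + IID_ORIGINAL_FIRST_THUNK, int_rva);
    wr32(image + dir + IID_NAME, dll_rva);
    wr32(image + dir + IID_FIRST_THUNK, iat_rva);          /* next descriptor stays zero */
    return scan_iat(image, base, dir, mods, 2, out, max);
}

int main(void) {
    hook_report r[16];
    size_t n = run_sample(r, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("IAT %08X  %s!%s -> %08X in %s\n", r[i].slot_va, r[i].expected, r[i].func, r[i].target_va, r[i].actual);
    return 0;
}
```

The one report line names the importing slot, the function, and the module the pointer actually landed in, which is the same information GMER's IAT hook line carries.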
75
Go with what you know: IDT
If we had run the bhwin_keysniff from IntermediateX86 we would
have seen the following:
As it is, we see something like:
This indicates that interrupt index 0xE in the Interrupt Descriptor
Table (IDT) does not point at its normal location, it points at
memory address 0xF9F55A40, and GMER has not been able to
determine which driver, if any, is associated with that memory
range (thanks to another rootkit we'll learn about later.)
Let's do a quick review of what we learned about segmentation
and the IDT.
76
Book page 270
Review: Surprise! No one uses segmentation
directly for memory protection! :D
•  On most systems, segmentation is not
providing the primary RWX type permissions,
they instead rely on paging protections.
(Vol. 3a, Sect. 3.2.1)
77
Review: One more time
(diagram: how a logical address is looked up)
•  Segment selector: one of the segment registers
(SS/CS/DS/ES/FS/GS)
•  Offset: the address you see in assembly instructions
(implicitly with a CS or SS selector)
•  The selector indexes into the GDT or LDT
(depending on the TI bit of the segment selector)
78
Review: GDT & LDT
(diagram)
•  All entries in these tables are Segment Descriptor structures
•  Special registers point to the base of the tables & specify their size
79
Review: Segment Descriptors
•  Each segment has a segment descriptor, which specifies the
size of the segment, the access rights and privilege level for the
segment, the segment type, and the location of the first byte of the
segment in the linear address space (called the base address of
the segment).
Descriptor layout (base and limit are split across the 8 bytes):
    high dword: Base Address 31:24 | … | Segment Limit 19:16 | … | Base Address 23:16
    low dword:  Base Address 15:0 | Segment Limit 15:0
"I approve of this summary" (stamp on the slide)
80
Review: IDTR Usage
81
Review: Interrupt Gate Descriptor
(diagram; note that the two halves of the offset form a 32 bit address)
    high dword: Offset 31:16 | P | … 
    low dword:  Segment Selector (16 bits) | Offset 15:0
Descriptors not in use should have P = 0
"Winners don't use drugs!" (stamp on the slide)
82
From IDT to Interrupt Handler
83
Review: IDT Relation to Segments
84
A hint
(three screenshots on the slide, added together)
The IDT change seems to be due to a module called mm.sys
which hooks the Page Fault handler… Hmm…who do we know
that might want to do that…
85
Review: ASCII Art of Dooooom!
86
Book page 516
http://www.phrack.com/issues.html?issue=63&id=8
Missed one!
•  Turns out the GDT is modified to have a call
gate. While you could see this with manual
windbg inspection using the !descriptor plugin
from the Intermediate x86 class, Tuluka also
detects it:
•  Let's go review call gates quick shall we?
87
Book page 308
Review: Call Gates
("I'm down with Bill Gates, I call him Money for short. I phone him up at home, and I make him do my tech support!"
- Weird Al, "It's All About the Pentiums")
• Call gates are basically a way to transfer control from one segment to
another segment (possibly at a different privilege ring, possibly at a
different size in terms of whether it's 16/32 bits.)
• But the key point is you don't want people to be able to call to anywhere
in the other segment, you want the interface to be controlled and well-understood.
So calling to a call gate brings code to a specific place
which the kernel has set up.
88
Review: Call Gates 2
•  The CALL, RET, and JMP x86 instructions have a
special form for when they are doing inter-segment
control flow transfer (normal call, ret, jmps are
intra-segment for reasons which will become clear
shortly.)
•  Each of them takes a single far pointer as an
argument (though in ret's case, it's popping it off
the stack).
•  A call gate expects as many parameters as
specified by the "Param Count" field on the
previous slide (max of 32 due to 5 bit field).
Parameters are just pushed onto the stack right to
left like a normal cdecl/stdcall calling convention.
•  Return value from the far call is returned in eax.
•  __asm{call fword ptr 0x48:0x12345678};
89
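As an added example (not from the slides, and not GMER's or Tuluka's code), here is the descriptor decoding a detector has to do for the IDT and GDT checks discussed above: join the two Offset halves back into a 32-bit address, read P, DPL, type and selector, flag present IDT gates whose handler lies in no known module, and list every present call gate in the GDT so the analyst can account for it. The kernel range, table contents and every address except the 0xF9F55A40 handler quoted from the GMER output are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uint32_t base, end; } module_range;
enum { CALL_GATE32 = 0xC, INT_GATE32 = 0xE, TRAP_GATE32 = 0xF };   /* descriptor type field */
typedef struct {
    int      present;     /* P bit; descriptors not in use should have P = 0 */
    int      is_gate;     /* S bit clear and one of the three 32-bit gate types */
    uint8_t  type, dpl, param_count;   /* param_count: call gates only, 5-bit field */
    uint16_t selector;    /* code segment the gate transfers into */
    uint32_t offset;      /* Offset 31:16 and Offset 15:0 joined back together */
} gate_desc;
typedef struct { uint16_t index; gate_desc g; } gate_finding;

/* Decode one 8-byte gate descriptor (IDT entry or GDT slot). */
gate_desc decode_gate(const uint8_t d[8])
{
    gate_desc g;
    memset(&g, 0, sizeof g);
    g.type    = d[5] & 0x0F;
    g.dpl     = (d[5] >> 5) & 3;
    g.present = (d[5] >> 7) & 1;
    g.is_gate = (d[5] & 0x10) == 0 &&
                (g.type == CALL_GATE32 || g.type == INT_GATE32 || g.type == TRAP_GATE32);
    g.param_count = d[4] & 0x1F;
    g.selector = (uint16_t)(d[2] | (d[3] << 8));
    g.offset   = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |           /* Offset 15:0 */
                 ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);   /* Offset 31:16 */
    return g;
}

/* Inverse of decode_gate (P = 1, S = 0); used only to build the sample tables. */
void encode_gate(uint8_t d[8], uint8_t type, uint16_t sel, uint32_t off, uint8_t dpl, uint8_t params)
{
    d[0] = (uint8_t)off;  d[1] = (uint8_t)(off >> 8);  d[2] = (uint8_t)sel;  d[3] = (uint8_t)(sel >> 8);
    d[4] = params & 0x1F;
    d[5] = (uint8_t)(0x80 | ((dpl & 3) << 5) | (type & 0x0F));
    d[6] = (uint8_t)(off >> 16);  d[7] = (uint8_t)(off >> 24);
}
static const char *module_for(uint32_t va, const module_range *m, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (va >= m[i].base && va < m[i].end) return m[i].name;
    return "unknown";
}

/* Present IDT gates whose handler address lies in no known module. */
size_t scan_idt(const uint8_t *idt, size_t entries, const module_range *mods, size_t nmods,
                gate_finding *out, size_t max)
{
    size_t found = 0;
    for (size_t v = 0; v < entries; v++) {
        gate_desc g = decode_gate(idt + 8 * v);
        if (!g.present || !g.is_gate) continue;
        if (strcmp(module_for(g.offset, mods, nmods), "unknown") != 0) continue;
        if (found < max) { out[found].index = (uint16_t)v; out[found].g = g; }
        found++;
    }
    return found;
}

/* Every present call gate in the GDT, for the analyst to account for. */
size_t find_call_gates(const uint8_t *gdt, size_t entries, gate_finding *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < entries; i++) {
        gate_desc g = decode_gate(gdt + 8 * i);
        if (!g.present || !g.is_gate || g.type != CALL_GATE32) continue;
        if (found < max) { out[found].index = (uint16_t)i; out[found].g = g; }
        found++;
    }
    return found;
}

/* Constructed IDT: three live vectors; 0x0E (page fault) carries the address
 * GMER reported, which no known driver covers. The kernel range is made up. */
size_t sample_idt(gate_finding *out, size_t max)
{
    static uint8_t idt[8 * 0x30];
    module_range mods[] = { { "ntkrnlpa.exe", 0x80400000u, 0x80700000u } };
    memset(idt, 0, sizeof idt);                                        /* unused: P = 0 */
    encode_gate(idt + 8 * 0x03, INT_GATE32, 0x08, 0x8053E2A0u, 3, 0); /* KiTrap03 */
    encode_gate(idt + 8 * 0x0E, INT_GATE32, 0x08, 0xF9F55A40u, 0, 0); /* hooked #PF */
    encode_gate(idt + 8 * 0x2E, INT_GATE32, 0x08, 0x8053F150u, 3, 0); /* inside kernel */
    return scan_idt(idt, 0x30, mods, 1, out, max);
}
/* Constructed GDT: null descriptor, a ring-0 code segment, one planted call gate. */
size_t sample_gdt(gate_finding *out, size_t max)
{
    static uint8_t gdt[8 * 3];
    memset(gdt, 0, sizeof gdt);
    gdt[8 + 5] = 0x9A;                                            /* index 1: S = 1, code */
    encode_gate(gdt + 16, CALL_GATE32, 0x08, 0xF9F56000u, 3, 0);  /* index 2: DPL 3 gate */
    return find_call_gates(gdt, 3, out, max);
}

int main(void) {
    gate_finding f[8];
    size_t n = sample_idt(f, 8);
    for (size_t i = 0; i < n && i < 8; i++) printf("IDT[0x%02X] -> %04X:%08X no known module\n", f[i].index, f[i].g.selector, f[i].g.offset);
    n = sample_gdt(f, 8);
    for (size_t i = 0; i < n && i < 8; i++) printf("GDT[%u] call gate -> %04X:%08X DPL=%u params=%u\n", f[i].index, f[i].g.selector, f[i].g.offset, f[i].g.dpl, f[i].g.param_count);
    return 0;
}
```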
Funny thing that…
•  Run GMER while Tuluka is loaded, get:
(With thanks to http://memegenerator.net/yo-dawg/ for making that easy!)
90
A portrait of the rootkit as a young
man in the middle
(CC BY-NC-SA 2.0) image by thrill kills sunday pills
http://www.flickr.com/photos/[email protected]/2994587384/in/photostream/
91
Normal Intra-Module Function Call
(diagram; numbers mark the order of control transfers)
WickedSweetApp.exe
    …
    push 1234
    call SomeFunc()      ; 1: into SomeFunc
    add esp, 4
    …
SomeFunc:
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 0x20
    …
    ret                  ; 2: back to the caller
92
Inline Hooked Intra-Module Function Call
(diagram; numbers mark the order of control transfers)
WickedSweetApp.exe
    …
    push 1234
    call SomeFunc()      ; 1: into SomeFunc, whose first 5 bytes are now a jmp
    add esp, 4
    …
SomeFunc:
    jmp MySomeFunc       ; overwrote mov edi,edi / push ebp / mov ebp,esp
    sub esp, 0x20        ; this is SomeFunc+5
    …
    ret                  ; 4: back to the caller
WickedWickedDll.dll
MySomeFunc:
    <stuff>
    …
    mov edi, edi         ; the displaced prologue, replayed here
    push ebp
    mov ebp, esp
    jmp SomeFunc+5       ; 3: resume the original function past the jmp
That reminds me of trig class!
93
Normal Inter-Module Function Call
WickedSweetApp.exe:
    …
    push 1234
    call [0x40112C]        ; indirect call through the Import Address Table
    add esp, 4
    …
Import Address Table (in WickedSweetApp.exe):
    0x40112C: SomeFunc     ; resolved by the loader to WickedSweetLib.dll!SomeFunc
    0x401130: SomeJunk
    0x401134: ScumDunk
    …
WickedSweetLib.dll:
    …
SomeFunc:
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 0x20
    …
    ret
95
IAT Hooked Inter-Module Function Call
WickedSweetApp.exe:
    …
    push 1234
    call [0x40112C]        ; (1) the IAT slot now resolves to the rootkit's function
    add esp, 4
    …
Import Address Table (in WickedSweetApp.exe):
    0x40112C: MySomeFunc   ; overwritten: used to hold WickedSweetLib.dll!SomeFunc
    0x401130: SomeJunk
    0x401134: ScumDunk
WickedWickedDll.dll:
MySomeFunc:
    …
    call SomeFunc()        ; (2) passes the call on to the real function
    …
    ret                    ; (4) returns to the app, which never saw the detour
WickedSweetLib.dll:
    …
SomeFunc:
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 0x20
    …
    ret                    ; (3) returns into MySomeFunc
    …
96
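The two hook shapes in the diagrams above, a jmp written over SomeFunc's prologue and an IAT slot redirected to MySomeFunc, are what a user-mode integrity checker looks for. The program below is an added example, not code from the slides: it runs both checks on constructed inputs (the module names follow the diagrams, but the base addresses, sizes, the rel32 value and the IAT contents are made up for this example). The inline check decodes the first instruction of a function and, if it is a jmp, computes where it lands; the IAT check verifies that every slot resolves into the DLL the import descriptor names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A loaded module as a scanner records it from the loader's module list.
   Names follow the slides; ranges are constructed for this example. */
typedef struct {
    const char *name;
    uint32_t    base;
    uint32_t    size;
} module_t;

static int in_module(const module_t *m, uint32_t va)
{
    return va >= m->base && va < m->base + m->size;
}

/* Inline-hook check for one function.  API functions built for hot patching
   begin with the 5-byte prologue 8B FF 55 8B EC (mov edi,edi / push ebp /
   mov ebp,esp); an inline hook overwrites exactly those bytes with an
   E9 jmp rel32 (a 2-byte EB jmp rel8 is flagged too).  Returns 0 when the
   prologue is intact and 1 when it has become a jmp; *target receives the
   jmp destination and *leaves_module says whether it lands outside owner. */
int detect_inline_hook(const uint8_t *code, uint32_t func_va, const module_t *owner,
                       uint32_t *target, int *leaves_module)
{
    if (code[0] == 0xE9) {
        uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                       ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
        *target = func_va + 5 + rel;          /* rel32 is relative to the next instruction */
    } else if (code[0] == 0xEB) {
        *target = func_va + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    } else {
        *target = 0;
        *leaves_module = 0;
        return 0;
    }
    *leaves_module = !in_module(owner, *target);
    return 1;
}

/* IAT check: every slot filled from one import descriptor must resolve into
   the DLL that descriptor names.  Returns the number of slots pointing
   elsewhere and records the index of the first one in *first_bad. */
size_t detect_iat_hooks(const uint32_t *iat, size_t n, const module_t *expected, size_t *first_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (in_module(expected, iat[i])) continue;
        if (bad == 0) *first_bad = i;
        bad++;
    }
    return bad;
}

/* Constructed sample data (addresses are invented). */
static const module_t lib_mod = { "WickedSweetLib.dll",  0x10000000u, 0x00020000u };
static const module_t bad_mod = { "WickedWickedDll.dll", 0x7F000000u, 0x00010000u };
#define SOMEFUNC_VA   0x10001000u   /* SomeFunc inside WickedSweetLib.dll */
#define MYSOMEFUNC_VA 0x7F001000u   /* MySomeFunc inside WickedWickedDll.dll */

static const uint8_t clean_prologue[8]  = { 0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x20 };
/* E9 with rel32 = MYSOMEFUNC_VA - (SOMEFUNC_VA + 5) = 0x6EFFFFFB, little-endian. */
static const uint8_t hooked_prologue[8] = { 0xE9,0xFB,0xFF,0xFF,0x6E,0x83,0xEC,0x20 };

static const uint32_t clean_iat[3]  = { SOMEFUNC_VA,   0x10002000u, 0x10003000u };
static const uint32_t hooked_iat[3] = { MYSOMEFUNC_VA, 0x10002000u, 0x10003000u };

int main(void)
{
    uint32_t target; int leaves; size_t first;
    printf("clean prologue hooked: %d\n",
           detect_inline_hook(clean_prologue, SOMEFUNC_VA, &lib_mod, &target, &leaves));
    if (detect_inline_hook(hooked_prologue, SOMEFUNC_VA, &lib_mod, &target, &leaves))
        printf("SomeFunc prologue is a jmp to 0x%08X, %s %s\n", target,
               leaves ? "outside" : "inside", lib_mod.name);
    printf("clean IAT bad slots: %zu\n", detect_iat_hooks(clean_iat, 3, &lib_mod, &first));
    if (detect_iat_hooks(hooked_iat, 3, &lib_mod, &first))
        printf("IAT slot %zu resolves to 0x%08X, outside %s (it is in %s)\n",
               first, hooked_iat[first], lib_mod.name, bad_mod.name);
    return 0;
}
```

The prologue check is deliberately narrow: a jmp that stays inside the owning module can still be a hook, and a hook can also be placed a few instructions in rather than at the first byte, which is why tools like GMER compare the in-memory image against the file on disk rather than just decoding the first instruction. The IAT check has the same limit: it catches slots pointing at another module, not a slot redirected to a code cave inside the expected DLL.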
Normal Interrupt Event
ntkrnlpa.exe:
    …
KiTrap03:                  ; (1) interrupt: IDT entry 3 points here
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 0x20
    …
    iret                   ; (3) interrupt return
Pop quiz, hot shot. What's the difference between ntoskrnl.exe and ntkrnlpa.exe?
98
Hooked Interrupt Event
pwnsauce.sys:
    …
DebugHook:                 ; (1) interrupt: IDT entry 3 now points here instead
    …
    if()                   ; the hook decides whether to pass the event on
        jmp KiTrap03       ; (2) hand off to the original handler
    else
        iret               ; (3) interrupt return straight from the hook
ntkrnlpa.exe:
    …
KiTrap03:
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 0x20
    …
    …
    iret                   ; (4) interrupt return from the original handler
99
Hooked IDT + inline hook
(not common, just saying. be aware of potential to mix and match techniques)
pwnsauce.sys:
    …
DebugHook:                 ; (1) interrupt: IDT entry 3 points here
    …
    if(){
        jmp KiTrap03       ; (2) into the original handler…
    DebugHook+x:           ; (4) …which jumps back here, because its iret was inline hooked
        …
    } else
        iret               ; (3/5) interrupt return
ntkrnlpa.exe:
    …
KiTrap03:
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 0x20
    …
    …
    jmp DebugHook+x        ; the original iret, replaced by a jump back into the hook
101
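The call gate review earlier and the IDT hook slides above both come down to the same 8-byte system descriptor: a selector, an offset into that segment, a DPL and a type. The decoder below is an added example, not code from the slides, and it serves both passages: it parses a constructed GDT (with a 32-bit call gate at selector 0x48, matching the `call fword ptr 0x48:0x12345678` form shown earlier) and a constructed 4-entry IDT (with vector 3 redirected away from the kernel), then reports every present gate whose entry point lies outside the kernel image range. The kernel range, table contents and the "pwnsauce.sys" address are all invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of one 8-byte x86 (32-bit protected mode) gate descriptor.
   Call gates live in the GDT or LDT, interrupt and trap gates in the IDT;
   all three share this layout.  Task gates (type 5) carry no offset and
   are reported as GATE_NONE. */
typedef struct {
    uint32_t offset;      /* entry point inside the target code segment */
    uint16_t selector;    /* target code segment selector */
    uint8_t  type;        /* 0x4/0xC call, 0x6/0xE interrupt, 0x7/0xF trap; bit 3 set = 32-bit */
    uint8_t  param_count; /* call gates only; 5-bit field, so 0..31 dwords copied to the new stack */
    uint8_t  dpl;         /* CALL/JMP or INT n through the gate needs CPL <= DPL */
    uint8_t  present;
} gate_t;

enum { GATE_NONE = 0, GATE_CALL, GATE_INTERRUPT, GATE_TRAP };

/* Returns the gate kind, or GATE_NONE for anything that is not a code-carrying gate. */
int decode_gate(const uint8_t d[8], gate_t *g)
{
    uint8_t access = d[5];
    if (access & 0x10)                    /* S=1: ordinary code/data segment, not a gate */
        return GATE_NONE;
    g->type        = access & 0x0F;
    g->dpl         = (access >> 5) & 0x3;
    g->present     = (access >> 7) & 0x1;
    g->selector    = (uint16_t)(d[2] | (d[3] << 8));
    g->param_count = d[4] & 0x1F;
    g->offset      = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
                     ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);
    switch (g->type & 0x7) {              /* low three type bits tell the gate kinds apart */
    case 0x4: return GATE_CALL;
    case 0x6: return GATE_INTERRUPT;
    case 0x7: return GATE_TRAP;
    default:  return GATE_NONE;
    }
}

/* Walks a descriptor table and collects the indices of present gates whose
   entry point lies outside [kernel_base, kernel_base + kernel_size).
   Returns the number found; at most max indices are written to out[]. */
size_t find_foreign_gates(const uint8_t *table, size_t bytes,
                          uint32_t kernel_base, uint32_t kernel_size,
                          size_t *out, size_t max)
{
    size_t hits = 0;
    for (size_t i = 0; (i + 1) * 8 <= bytes; i++) {
        gate_t g;
        if (decode_gate(table + i * 8, &g) == GATE_NONE || !g.present)
            continue;
        if (g.offset < kernel_base || g.offset >= kernel_base + kernel_size) {
            if (hits < max) out[hits] = i;
            hits++;
        }
    }
    return hits;
}

/* Constructed kernel image range standing in for ntkrnlpa.exe. */
#define KERNEL_BASE 0x80400000u
#define KERNEL_SIZE 0x00200000u

/* Constructed GDT: null, flat ring-0 code, flat ring-0 data, six unused
   slots, and at index 9 (selector 0x48) a present 32-bit call gate with
   DPL 3 whose target 0x08:0x12345678 is not inside the kernel image. */
static const uint8_t sample_gdt[10 * 8] = {
    0,0,0,0,0,0,0,0,
    0xFF,0xFF,0,0,0,0x9A,0xCF,0,   /* code segment: S=1, so not a gate */
    0xFF,0xFF,0,0,0,0x92,0xCF,0,   /* data segment */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x78,0x56,0x08,0x00,0x00,0xEC,0x34,0x12,   /* access 0xEC: P=1 DPL=3 S=0 type=C */
};

/* Constructed IDT: vectors 0..2 are interrupt gates into the kernel image;
   vector 3 has been pointed at 0x89A01000, a stand-in for pwnsauce.sys. */
static const uint8_t sample_idt[4 * 8] = {
    0x00,0x10,0x08,0x00,0x00,0x8E,0x40,0x80,   /* -> 0x80401000 */
    0x00,0x11,0x08,0x00,0x00,0x8E,0x40,0x80,   /* -> 0x80401100 */
    0x00,0x12,0x08,0x00,0x00,0x8E,0x40,0x80,   /* -> 0x80401200 */
    0x00,0x10,0x08,0x00,0x00,0xEE,0xA0,0x89,   /* -> 0x89A01000, DPL 3 like the real int 3 gate */
};

int main(void)
{
    size_t idx[4], n;
    n = find_foreign_gates(sample_gdt, sizeof sample_gdt, KERNEL_BASE, KERNEL_SIZE, idx, 4);
    for (size_t i = 0; i < n; i++)
        printf("GDT selector 0x%02zX: call gate into non-kernel code\n", idx[i] * 8);
    n = find_foreign_gates(sample_idt, sizeof sample_idt, KERNEL_BASE, KERNEL_SIZE, idx, 4);
    for (size_t i = 0; i < n; i++)
        printf("IDT vector %zu: handler outside the kernel image\n", idx[i]);
    return 0;
}
```

Two caveats when applying this to a live 32-bit Windows box. A stock GDT installs no call gates at all, so any present call gate is worth a look regardless of where it points. For the IDT, the image-range test fits the exception vectors (the KiTrapXX handlers, such as vector 3 here) and the system call vector, but hardware interrupt vectors legitimately point at dispatch code inside KINTERRUPT objects in nonpaged pool, and some vectors point into hal.dll, so those need to be compared against the registered interrupt objects and the HAL image rather than the kernel range alone.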
Stuxnet trojaned DLL
•  Stuxnet used forwarded exports for the 93 of 109 exports in s7otbxdx.dll which it didn't need to intercept.
102
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
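The loader's rule for a forwarded export is simple: an entry in the export address table is a forwarder exactly when its RVA falls inside the export directory itself, and the bytes at that RVA are then an ASCII "Module.Function" string instead of code. That rule is what lets a scanner notice a DLL that proxies most of its exports to a look-alike name. The following is an added example, not code from the slides or from the Symantec dossier: it builds a small constructed image with one real export and two forwarders to "s7otbxsx", then counts them. The directory RVA, size, and export names are invented.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What the loader sees of a DLL's export table: the image bytes plus the
   location of the export directory (DataDirectory[0]). */
typedef struct {
    const uint8_t *image;    /* RVA 0 == image[0] */
    uint32_t       dir_rva;
    uint32_t       dir_size;
} export_view_t;

/* A forwarder is an export address table entry whose RVA lies inside the
   export directory; the bytes there are a "Module.Function" string. */
int is_forwarder(const export_view_t *v, uint32_t func_rva)
{
    return func_rva >= v->dir_rva && func_rva < v->dir_rva + v->dir_size;
}

/* Copies the module part of a forwarder string ("s7otbxsx.s7_ex_read" -> "s7otbxsx"). */
static void forwarder_module(const export_view_t *v, uint32_t func_rva, char *out, size_t outlen)
{
    const char *s = (const char *)v->image + func_rva;
    const char *dot = strchr(s, '.');
    size_t n = dot ? (size_t)(dot - s) : strlen(s);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, s, n);
    out[n] = '\0';
}

/* Counts forwarded exports in eat[0..n) and how many of them forward to the
   module named suspect.  A DLL forwarding most of its exports to a single
   near-identical name is the pattern the slide describes. */
size_t count_forwarders(const export_view_t *v, const uint32_t *eat, size_t n,
                        const char *suspect, size_t *to_suspect)
{
    size_t fwd = 0;
    *to_suspect = 0;
    for (size_t i = 0; i < n; i++) {
        char mod[64];
        if (!is_forwarder(v, eat[i])) continue;
        fwd++;
        forwarder_module(v, eat[i], mod, sizeof mod);
        if (strcmp(mod, suspect) == 0) (*to_suspect)++;
    }
    return fwd;
}

/* Constructed image: export directory at RVA 0x3000 (size 0x100) holding two
   forwarder strings; one export is real code at RVA 0x1000.  The export
   names are invented, not the real s7otbxdx.dll export list. */
#define IMG_SIZE 0x3100
#define DIR_RVA  0x3000u
#define DIR_SIZE 0x100u
static uint8_t sample_image[IMG_SIZE];
static const uint32_t sample_eat[3] = { 0x1000u, DIR_RVA + 0x40u, DIR_RVA + 0x60u };

static export_view_t build_sample(void)
{
    export_view_t v = { sample_image, DIR_RVA, DIR_SIZE };
    memset(sample_image, 0, sizeof sample_image);
    sample_image[0x1000] = 0x8B; sample_image[0x1001] = 0xFF;   /* mov edi,edi: real code */
    strcpy((char *)sample_image + DIR_RVA + 0x40, "s7otbxsx.s7_ex_read");
    strcpy((char *)sample_image + DIR_RVA + 0x60, "s7otbxsx.s7_ex_write");
    return v;
}

/* Entry point for the sample: forwarded exports, and how many go to s7otbxsx. */
size_t sample_forwarder_stats(size_t *to_s7otbxsx)
{
    export_view_t v = build_sample();
    return count_forwarders(&v, sample_eat, 3, "s7otbxsx", to_s7otbxsx);
}

int main(void)
{
    size_t to, fwd = sample_forwarder_stats(&to);
    printf("%zu of 3 exports forwarded, %zu of them to s7otbxsx\n", fwd, to);
    return 0;
}
```

Forwarders are legitimate and common (kernel32.dll forwards plenty of its exports to ntdll.dll and the API set DLLs), so the count alone is not a verdict; what stands out in the Stuxnet case is a vendor DLL that suddenly forwards nearly everything to a module whose name differs from its own by one letter, and whose few non-forwarded exports are exactly the ones worth intercepting.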
Stuxnet trojaned DLL 2
[image from the Symantec dossier: the replacement s7otbxdx.dll proxying calls to the renamed original, s7otbxsx.dll]
NO! I'm the real s7otbxdx, I swear!
He's wearing a mission impossible style latex mask
Shut up s7otbxsx! And btw, what's PLC's favorite dish?
It's a Luther Burger. …Blast!
103-106
From http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Further Reading
•  Hacker Defender Readme: http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender1.00r.html
107